Marble Framework 
Overview 


• Objectives and Design 

• Concepts and Vocabulary 

• How it works 

• Setting it up for your projects 

• Examples 

• Documentation 

• Troubleshooting and Issue Reporting 



Objectives 


• An obfuscation framework that doesn’t require us to copy and paste a lot 

• Flexible and provides good coverage 

• Doesn’t provide a signature - or helps us reduce our chances 

• Simple and easy-to-use 

• Integrate it into the build process (utilize pre and post build events??) 



Design 


• Large pool of algorithms 

• Use a Pre-Build Event to modify all source files 
• Obfuscate Strings and Data 

• Build Project 

• Use a Post-Build Event to restore source files (never leave the source corrupted) 

• Validate that everything in the binary is obfuscated as intended 



Concepts and Vocabulary 


• Four Parts: Mibster (Modifier), Mender, Validator, Marbles (algorithms) 

• Choose from a pool of algorithms 

• Mibster chooses Marble 

• Store a clean/gold copy of the source 

• Mibster 

• Use Pre and Post Build Events in Visual Studio to automate 

• Modify Source, Build, and Repair 

• Mibster and Mender 
• Validation 

• Validator 



Concepts and Vocabulary 


Receipt 


Binary 



1. Mibster modifies source and generates receipt 

2. Build Project 

3. Mender restores source to original form 

4. Validate strings/data scrambling in resulting binary 



How It Works - Mibster 


• Choosing an algorithm from the pool 

• Default: Choose randomly from full pool 

• Choose a single algorithm 

• Remove sets from the pool 

• Remove single algorithm from the pool 

• Marble.h is how you modify your pool 

• I’ll come back to this - don’t worry about it for now 



How It Works - Mibster 


• So now we have our algorithm... 

• Walk directory looking for source files (*.c, *.h, *.cpp) 

• Keep a list of files that have strings that need to be obfuscated 

• Create Gold Copies **IMPORTANT** - Fail If Issue 

• Modify Source - Replace string/data with obfuscated source and unscramble code. 

• Generate a receipt that identifies algorithm, files modified, and strings/data obfuscated (good to keep for documenting build) 



How It Works 


1. Pick from Marble pool using Marble.h 

2. Scan source, create gold copies 

3. Modify Source 

4. Generate Receipt 




How It Works - Project Build 


• Using Pre-Build Event causes Mibster to make modifications 

• Watch Output to see status (line numbers and obfuscation checks) 

• Any failures in Mibster cause a failure to build 

• You can always mend 






How It Works - Mender 


• Scan for any modified source 

• Restore source to pre-build state 

• Notify user of modifications 






How It Works - Validator 


• Take the receipt generated by Mibster 

• Load all pre-obfuscation strings 

• Check them against compiled binary 

• Notify user of results 
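
The Validator step above, sketched as an added example (not Marble's own code): the receipt layout, its field names and the sample bytes are assumptions constructed for illustration. It checks each recorded literal in the byte form it would take in a Windows binary, so a WARBLE string left in the clear as UTF-16LE is caught as well as a CARBLE one.

```python
# Added example: the receipt layout and all names below are assumptions,
# not the format Mibster actually writes.
import json

# Constructed receipt: each entry records the original literal and its typedef.
RECEIPT = json.dumps({
    "algorithm": "PLACEHOLDER_MARBLE",
    "entries": [
        {"type": "CARBLE", "file": "main.cpp", "line": 7,
         "text": "This is a test"},
        {"type": "WARBLE", "file": "main.cpp", "line": 10,
         "text": "Creates or opens a file"},
    ],
})


def encodings(entry):
    """Byte forms the literal would take in the binary if left in the clear."""
    if entry["type"] == "WARBLE":
        return [entry["text"].encode("utf-16-le")]  # wchar_t is 16-bit on Windows
    return [entry["text"].encode("latin-1")]        # char array, one byte per char


def validate(receipt_json, binary):
    """Return receipt entries whose pre-obfuscation bytes still appear in binary."""
    leaks = []
    for entry in json.loads(receipt_json)["entries"]:
        for needle in encodings(entry):
            offset = binary.find(needle)
            if needle and offset != -1:   # skip empty literals, record first hit
                leaks.append({**entry, "offset": offset})
                break
    return leaks


# Constructed "binaries": one with no plaintext, one where the wide string survived.
CLEAN = b"MZ\x90\x00" + bytes(range(0x80, 0xC0)) + b"\x00" * 16
LEAKY = CLEAN + "Creates or opens a file".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("leaky", LEAKY)):
        leaks = validate(RECEIPT, blob)
        print(name, "OK" if not leaks else leaks)
```

A build step using this would fail when `validate` returns a non-empty list, matching the "Notify user of results" bullet.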






Setting It Up 

• Use EDG Project Wizard 
or 

• Core Library Repository (CorelibXMarble) 

• Add as a submodule 

• Contains a ReadMe.txt 

• MoveFile(Marble.horig, $(SolutionDir)Shared\Marble.h); 

• Include Marble.h and Deobfuscators in your project 

• Add to project “Additional Includes” 

• Add Pre and Post-Build Events 

• More explicit directions in ReadMe and on Confluence (search: Marble) 



Setting It Up - Marble.h 


• Almost all of the modifications (if any) you will make after setup are to Marble.h 

• A header file filled with commented out includes for each Marble 

• Allows you to specify either the algorithm to use or the pool of algorithms to use. 

• Default: Choose a random one from the entire pool 



Setting It Up - Marble.h 


    //Class random key forward through array, constructor only, private variable, zero clear
    //#include "MBL_CLASS_XOR1D.h"

    //Class random key backwards through array, constructor only, private variable, zero clear
    //#include "MBL_CLASS_XOR2D.h"

    //Class random key forward through array, constructor only, private variable, random clear
    //#include "MBL_CLASS_XOR3D.h"

    //Class random key backwards through array, constructor only, private variable, random clear
    //#include "MBL_CLASS_XOR4D.h"

    //Class random key forward through array, constructor only, separate function, private variable, zero clear
    //#include "MBL_CLASS_XOR5D.h"

    //Class random key backwards through array, constructor only, separate function, private variable, zero clear
    //#include "MBL_CLASS_XOR6D.h"

    //Class random key forward through array, constructor only, separate function, private variable, random clear
    //#include "MBL_CLASS_XOR7D.h"

    //Class random key backwards through array, constructor only, separate function, private variable, random clear
    //#include "MBL_CLASS_XOR8D.h"

    //Class random 8-byte key forward through array, constructor only, public variable, zero clear
    //#include "MBL_CLASS_XOR9D.h"

    //Class random 8-byte key backwards through array, constructor only, public variable, zero clear
    //#include "MBL_CLASS_XOR10D.h"

    //Class random 8-byte key forward through array, constructor only, public variable, random clear
    //#include "MBL_CLASS_XOR11D.h"

    //Class random 8-byte key backwards through array, constructor only, public variable, random clear
    //#include "MBL_CLASS_XOR12D.h"






Setting It Up - Marble.h 


Choose a specific algorithm 


Choosing A Specific Algorithm 

    //Class random key forward through array, constructor only, private variable, zero clear
    //#include "MBL_CLASS_XOR1D.h"

    //Class random key backwards through array, constructor only, private variable, zero clear
    #include "MBL_CLASS_XOR2D.h"

    //Class random key forward through array, constructor only, private variable, random clear
    //#include "MBL_CLASS_XOR3D.h"

    //Class random key backwards through array, constructor only, private variable, random clear
    //#include "MBL_CLASS_XOR4D.h"


Filter pool: Use only C algorithms 

Use only C algorithms 

    /*
    Define NOCPP if you wish to only choose from the pool of obfuscation techniques that do not/not pull in the C++ runtime.
    */
    #define NOCPP //Always use forward slashes to comment out this define


Setting It Up - Marble.h 


Exclude a specific algorithm 


Exclude Specific Algorithms 

    //Class random key forward through array, constructor only, private variable, zero clear
    //#include "MBL_CLASS_XOR1D.h"

    //Class random key backwards through array, constructor only, private variable, zero clear
    //--#include "MBL_CLASS_XOR2D.h"

    //Class random key forward through array, constructor only, private variable, random clear
    //#include "MBL_CLASS_XOR3D.h"

    //Class random key backwards through array, constructor only, private variable, random clear
    //#include "MBL_CLASS_XOR4D.h"


Examples 


Supplied typedefs: CARBLE and WARBLE 


    typedef wchar_t WARBLE; //For Obfuscating Wide-Char Arrays
    typedef char CARBLE; //For Obfuscating Char Arrays




Examples - CARBLE 


CARBLE 

    #include <Windows.h>
    #include "Marble.h"

    int wmain(int argc, wchar_t* argv[])
    {
        //Normal Text
        CARBLE cOne[] = "This is a test of a string obfuscation technique";

        //Text with braces, semi colons escaped characters (including \x)
        CARBLE cTwo[] = " Text with weird {spaces} in; the text\n\n\t\tabc\x22\x33 124";

        //You can also use curly braces to define your string/data (must be two characters following 0x)
        CARBLE cThree[] = {
            0x32, 0xD7, 0x08, 0x57, 0x34, 0x34, 0xC8, 0x4B, 0xC5, 0xA8, 0x53, 0x45, 0xF2, 0x0D, 0xB7, 0xF0,
            0x5F, 0xD2, 0xED, 0xEA, 0xE1, 0x73, 0x2B, 0xCA, 0xFE
        };
        return 0;
    }


Examples - WARBLE 


WARBLE 

    #include <Windows.h>
    #include "Marble.h"

    int wmain(int argc, wchar_t* argv[])
    {
        //Normal strings including escaped characters as well as \x
        WARBLE wcOne[] = L" Text with V'weird spaces; in the text\n\n\t\tabc\x2233\x3344 124";

        //Normal Wide-Char string - can't be multi-line
        WARBLE wcTwo[] = L"Creates or opens a file or I/O device. The most commonly used I/O devices are as follows; file, file stream, directory, phy

        //WCHAR array is supported
        WARBLE wcThree[] = {
            0x0000, 0x1122, 0x3344, 0x5566, 0x7799, 0x0000, 0x1122, 0x3344, 0x5566, 0x7799, 0x0000, 0x1122, 0x3344, 0x5566, 0x7799,
            0x0000, 0x1122, 0x3344, 0x5566, 0x7799, 0x0000, 0x1122, 0x3344, 0x5566, 0x7799, 0x0000, 0x1122, 0x3344, 0x5566, 0x7799
        };

        //Add foreign languages
        //Arabic
        WARBLE wcArabic[] = L"Ll! pj L«.sa.1.il LaJjjj oli .Ja „u-> iuLUl ijl j_> , , j i AJ7 i p> j ii tliSJi P Li j-j „JI jju.lli JLuJi uybl ,eu»

        //Chinese
        WARBLE wcChinese[] = L">mfi>ft Man & sbs, sin* *»* * on mm *w« ts m, m m *w*e sett*, si smm a

        //Russian
        WARBLE wcRussian[] = L"3ua Ha HOHioMaui kohtwht6oh3x. Bnfl3 6naHAMT aH KByfi, flyo flexaM anuxiope aa. Mh ahkht Monb/in3 AffhbbHKaTeauiMMn xht. Ha Manb

        //Korean
        WARBLE wcKorean[] = L"AH 4T 4=2 life gg oyggf. CHVg2l, ^2J SCHS, CHS SEJ12I S3* 2J2D1IJ 220iaE gg SOIXI gte EfCHl $

        //Farsi
        WARBLE wcFarsi[] = L" _-.it n o) i_j r J -. n PJ> J: Lorem ipsum) aJj-j pLjL-j u ij .oi- j ^

        return 0;
    }




Limitations 


• CARBLE and WARBLE must be used inside of functions 

• Supports string literals and arrays 

• Use square braces ([ ]) not pointers ( * ) 

• All source files must be ANSI, UTF-8, or Unicode 

• No support for \U, \u or \ooo (octals) in string literals 

• When specifying \x or 0x 

• 4 following characters for WARBLE 

• 2 following characters for CARBLE 

• String literals cannot be multiple lines 



Documentation 


• All of this and more is on Confluence 

• Search: Marble or Marble Framework 

• Current list of Marbles 

• Detailed setup instructions for both EDG Project Wizard and manual setup 

• Diagrams, Descriptions, Definitions 

• How to add to the framework 

• How to report issues 

• Test Harness 

• Etc 

• These slides... 



Debugging and Troubleshooting 


• Having problems with an algorithm? 

• Remove it from the pool 

• Report the issue 

• Need to debug with obfuscation in place? 

• Get rid of the Mender Post-Build Event 

• Run Mibster 

• Debug 

• Run Mender 

• Make Changes to code 

• NEVER MAKE CHANGES BEFORE MENDING!!! 



Questions?? 



